[pve-devel] RFC : iptables implementation
Dietmar Maurer
dietmar at proxmox.com
Wed Jan 29 07:18:51 CET 2014
> The main idea is to reduce a maximum rules lookup for performance.
>
> 1) the forward rules are splitted by bridge, and we only check rules for tap
> devices on this bridge. This reduce a lot lookups if you have a lot of bridge
> (bridgevlan for example)
> 2) the inter-bridge routing is dropped by default.
> 3) the tap outgoing rules are always processed before incoming. We need to use
> RETURN in outgoing rules, but we can use ACCEPT in incoming rules.
> That good, because we can stop lookups when ACCEPT.
Looks good for me. But we need some scripts in order to test that. Maybe
we can re-use code from 'pve-firewall'?
More information about the pve-devel
mailing list